Safari 3 beta flaw makes Apple feel mighty stupid

...or it should!

This is a refreshing change from the usual "A maliciously-crafted URL could cause your web browser to display a page security icon when the page is not secured" thing where attackers have spent 15 hours finding this tiny little security hole that doesn't really matter anyway.  This is more of a "You could accidentally find this security flaw" that Apple is so fond of, such as the local root shell from the Recent Applications and the "automatically run shell scripts from inside Zip files".

Anyway, here's the story. Someone could include an IFRAME on their website which is linked straight to an executable file, and Safari 3 will automatically download the file without even putting it into the Downloads window. An example:

<iframe height="1" width="1" src="setup.exe"></iframe>

Notice that I've used the name "setup.exe" to refer to the malicious file, as that's generally what a malicious program will do - it will pretend to be an installer of some sort, so you'll see it and not remember what it installs - so you'll double-click it to find out. And then your computer is THEIRS.

Even Internet Explorer 6 gives you a warning if a website tries to download an executable in an IFRAME.
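As an added example (this is not code from the original post), here is a small Python scanner for the kind of frame the post describes: one that points straight at an executable, or is one pixel square or CSS-hidden so the visitor never sees it. It is the check a site owner would run over their own pages after a compromise, since an injected one-pixel iframe is the usual way such downloads get planted. The suffix list, the sample page and the shape of the findings are this example's own assumptions.

```python
"""Flag frames that pull in an executable or are sized/styled to be invisible."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Suffixes this example treats as "executable"; the list is an assumption, not Safari's.
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr", ".bat", ".cmd", ".com", ".pif", ".dmg", ".pkg")
FRAME_TAGS = ("iframe", "frame", "embed", "object")


def _tiny(value):
    """True for a width/height attribute of 0 or 1 (bare number or with a unit)."""
    if value is None:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


class FrameScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, src, [reasons])

    def handle_starttag(self, tag, attrs):
        # html.parser routes a self-closing <iframe ... /> through here as well
        if tag not in FRAME_TAGS:
            return
        a = dict(attrs)
        src = (a.get("src") or a.get("data") or "").strip()
        if not src:
            return
        reasons = []
        if urlparse(src).path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("executable target")
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("hidden (<=1px)")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden (css)")
        if reasons:
            self.findings.append((tag, src, reasons))


def scan_html(html):
    """Return the suspicious frames found in an HTML document."""
    p = FrameScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed page (not a real site): the post's one-pixel iframe plus a legitimate
# video embed, a CSS-hidden frame fetching a screensaver binary, and a harmless <object>.
SAMPLE_PAGE = """\
<html><body>
<h1>Welcome</h1>
<iframe height=1 width=1 src="setup.exe" />
<iframe width="640" height="480" src="https://example.org/player"></iframe>
<iframe style="display: none" src="http://example.org/x/update.scr"></iframe>
<object data="https://example.org/doc.pdf"></object>
</body></html>
"""

if __name__ == "__main__":
    for tag, src, reasons in scan_html(SAMPLE_PAGE):
        print(f"<{tag}> {src}: {', '.join(reasons)}")
```

Only the two planted frames are reported; the visible player and the PDF object pass. A real deployment would also resolve relative URLs against the page and fetch the target to sniff its content, since an attacker is free to serve an executable from a URL ending in ".jpg".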

Dumber and dumber, this bug wasn't just introduced by the team porting Safari to Windows. The same bug is present on the iPhone. Whoops. That "industrial-strength Unix base" is looking more like a Microsoft-strength XENIX base :-)

EDIT: I previously said that the bug was present on Mac OS X - I was mistaken, there is no word of the bug being present on OS X.  However, the Storm worm is already doing the same sort of thing except with a 14 year-old security flaw in Windows (judging files by filename extension rather than by their actual contents).

                            
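The extension-versus-contents point in the EDIT above is worth seeing in code. The following Python is an added example, not part of the original post: it decides whether a mail attachment is executable by reading its leading bytes (the well-known MZ/PE, ELF, Mach-O and "#!" signatures) rather than trusting the name, so "storm-photo.jpg" carrying a Windows binary is blocked just like "Full Video.exe". The extension policy, the labels and the sample bytes are this example's own assumptions; the samples are hand-built headers, not real malware.

```python
"""Decide whether an e-mail attachment is executable from its bytes, not its name."""
import struct

# Well-known file signatures; the kind labels are this example's own.
MAGIC = [
    (b"MZ", "windows-pe"),
    (b"\x7fELF", "elf"),
    (b"#!", "script"),
    (b"\xfe\xed\xfa\xce", "mach-o"), (b"\xfe\xed\xfa\xcf", "mach-o"),
    (b"\xce\xfa\xed\xfe", "mach-o"), (b"\xcf\xfa\xed\xfe", "mach-o"),
    (b"\xca\xfe\xba\xbe", "mach-o-fat"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF", "pdf"),
    (b"\xff\xd8\xff", "jpeg"),
]
EXECUTABLE_KINDS = {"windows-pe", "dos-mz", "elf", "script", "mach-o", "mach-o-fat"}
# Extension policy of a hypothetical mail gateway (assumption); Storm's lures used .exe names.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "msi", "vbs", "js"}


def _has_pe_header(data):
    """An MZ file stores the offset of its 'PE\\0\\0' header at 0x3c."""
    if len(data) < 0x40:
        return False
    off = struct.unpack_from("<I", data, 0x3c)[0]
    return data[off:off + 4] == b"PE\x00\x00"


def sniff(data):
    """Return the kind implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            if kind == "windows-pe" and not _has_pe_header(data):
                return "dos-mz"  # MZ stub without a PE header: DOS-era executable or junk
            return kind
    return "unknown"


def extension(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def verdict(filename, data):
    """Return (decision, sniffed_kind, reason). Content always wins over the name."""
    kind = sniff(data)
    ext = extension(filename)
    if kind in EXECUTABLE_KINDS:
        if ext in EXECUTABLE_EXTENSIONS:
            return ("block", kind, "executable content")
        return ("block", kind, f"executable content disguised as .{ext or '(none)'}")
    if ext in EXECUTABLE_EXTENSIONS:
        return ("block", kind, "executable extension")  # the name alone is reason enough
    return ("allow", kind, "")


# Constructed samples (not real malware): a minimal PE header, an ELF header, a JPEG start.
PE_BYTES = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
ELF_BYTES = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
SAMPLES = [
    ("Full Video.exe", PE_BYTES),
    ("storm-photo.jpg", PE_BYTES),          # lies about its type
    ("readme.txt", ELF_BYTES),
    ("weather-news.txt.exe", b"just text"),  # double extension, harmless content
    ("photo.jpg", JPEG_BYTES),
    ("report.pdf", b"%PDF-1.4\n"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name:24} {verdict(name, data)}")
```

The gateway rule this encodes is the one the CNET piece below credits businesses with ("strip executable files out of e-mails"), with the addition that the stripping is driven by what the bytes are. Archives are deliberately left as "allow" here; a production filter would recurse into them.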

The scariest virus attack to date

How long does a virus live and spread for? A couple of months? Maybe a month or so of rapid spreading, then infection rates start to stagnate? Note that I am using the word "virus" to refer to worms and trojans, too, as they are all subspecies of "virus".

How about 9 months and counting?

The Storm worm (supposedly the most well-known current virus, but I hadn't heard of it before yesterday) spread extremely rapidly during one week in January 2007, and is still growing in October 2007. The virus is forming a botnet comprising somewhere between 1 million and 50 million Windows computers, depending on whose estimate you believe. This botnet is being used to send spam and to spread the virus further.

What's so scary about this virus?

  • It is decentralised - unlike most botnets, commands are not sent through an IRC channel that all the infected computers are connected to. Instead, the crackers who created the virus merely have to connect directly to one computer, send the command, then disconnect. The infected computer sends the command on to other computers it knows about in the network, they send it on in turn, and so on.  Traditional techniques for finding the culprit DO NOT WORK, because the overwhelming majority of infected computers have never been in direct contact with the crackers.
  • Storm is patient - no compromised computer attacks 100% of the time, which helped it fly underneath the radar for a long time.
  • It has survived a Malicious Software Removal Tool update. Microsoft has put a definition for the worm into its MSRT, and pushed that update out to legitimate Windows users. In theory, that should have killed the botnet stone dead, as Windows computers would update their MSRT and the tool would delete the virus. But this has not happened; the botnet has been weakened by 20%, but the virus continually alters itself to escape detection and is continuing to spread.
  • The virus has a self-defence system: if it detects a port scan against the ports it opens, it commands the rest of the botnet to launch denial-of-service attacks against the address that is doing the scanning.
  • Therefore, the virus already has the ability to launch DoS attacks. The massive combined bandwidth of these compromised computers is enough to bring down backbone nodes with a well-placed DoS attack - the effect would be that an entire country or two would lose its internet access.
  • The botnet has already used DoS attacks against anti-spam websites.
  • 1.2 billion e-mails have been sent by the botnet. 57 million were sent on 22 August 2007 ALONE.
  • The virus has recently evolved - it no longer just sends spam, it also infects web servers running various Windows Server flavours. There is co-operation between these prongs of attack; the spam messages are advertising TOR (an anonymous internet surfing program), and linking to infected computers that are serving up the virus binary.
  • The botnet has more processing power and bandwidth than the top 500 supercomputers COMBINED.
  • Only approximately 10-20% of the botnet's power has been brought to bear yet.

Scared yet?  I am.  I no longer think that the category of "I don't need to worry about it" applies! I don't need to worry about actually getting the Storm worm, because I am careful about what attachments I open, and I have faith in the ability of my operating system (Linux) to protect my computer. But I'm scared of what the full power of this botnet could do.

Here are some good links to articles about Storm, just to get you more worried:

http://www.schneier.com/blog/archives/2007/10/the_storm_worm.html

http://en.wikipedia.org/wiki/Storm_Worm
http://www.youtube.com/watch?v=kH8cS1AkqiI - this is purportedly a map of Storm infections in January, but I'm not sure if this video is genuine or fake.
http://arstechnica.com/news.ars/post/20070902-storm-worm-adds-millions-of-computers-to-botnet.html
http://www.informationweek.com/news/showArticle.jhtml?articleID=201200849
http://blog.washingtonpost.com/securityfix/2007/10/the_storm_worm_maelstrom_or_te.html
http://en.wikipedia.org/wiki/Storm_botnet
http://seclists.org/fulldisclosure/2007/Aug/0520.html

My phone being bricked

Apple is very red-faced. Despite its best efforts to lock iPhone customers to AT&T and to lock down the phone to only "trusted" applications, hackers have written programs that allow third-party applications to be installed AND the phone to be unlocked from the AT&T network. Not surprising, considering the iPhone uses OS X as its operating system.

So, in the new iPhone firmware upgrade, Apple has designed it to "brick" any modified iPhones. Yes: If you add capabilities to your iPhone, and then try to upgrade the phone's official firmware, your phone gets stuck on the "Activate" screen and becomes USELESS.

But I don't need to worry about it. I'm not one of the zusbuns who just *had* to buy an overpriced, over-restrictive phone from a company that has a history of hating expandability and of supporting DRM.

I mean, fucking hell. People are purposely not upgrading to the new firmware, because they prefer their iPhone to have the capabilities that third-party developers have given them than to have the tiny new features that Apple is offering. If that's not a sign that the iPhone is a failure as a product, then I don't know what is.

Apple releases huge security update, Goatse Man said to be jealous of gaping security holes

Apple has released their second biggest security update of the year, covering 25 vulnerabilities in 20 components.

Most of the vulnerabilities could allow an attacker to execute malicious code, although no exploits have been reported so far. Components at risk include iChat, fetchmail and Libinfo. Apple has also addressed an issue with the Login Window that would allow the local user to obtain system privileges and execute arbitrary code. You can learn more about the vulnerabilities here.

Early indications suggest that the update is safe to run on OSX86 installations.

---------
From insanelymac.com. Happily, I don't have to worry about when my OS vendor is going to drop another set of security updates. Whenever security problems are found with Ubuntu's supported programs, and patches are available from the developers, Ubuntu packages them and pushes them immediately to users, rather than waiting until they've got a big set and releasing them all at once.

EDIT: Apple has got a terrible security record; I just checked the list of what this update entails:

1. A fix for an installer bug found in the Month Of Apple Bugs. The MOAB was January. It is now April.

2. THREE bugs from last year, two of them with "arbitrary code execution". Actually, it seems that all the security patches this time are for arbitrary code execution, except for the third 2006 bug - that's one which conveniently sends passwords over the Internet in cleartext. And THIS bug was fixed upstream in November 2006!

What the fsck is Apple thinking? This security hole is bigger than the Goatse Man's anus, and they've taken 5 months to distribute the fix!

Storm Worm Trojan

'Storm Worm' Trojan horse surges on

Many home PC users may have been infected after a large-scale sustained Trojan horse attack that took place over the weekend.

 

       
By Tom Espiner, Special to CNET News.com
Published: January 22, 2007, 6:30 PM PST
 

  Many home PC users may have been infected after a large-scale sustained Trojan horse attack that took place over the weekend, security vendors believe.

The Trojan, named "Storm Worm" by antivirus vendor F-Secure, first started to spread on Friday as extreme storms engulfed Europe. The e-mail claimed to include breaking news about the weather, in an attempt to get people to download an executable file.

Over the weekend there were six subsequent waves of the attack, with each e-mail attempting to lure users into downloading an executable by promising a topical news story. There were e-mails that purported to carry news of an as-yet-unconfirmed missile test by the Chinese against one of its weather satellites, and e-mails reporting that Fidel Castro had died.

Each new wave of e-mails carried different versions of the Trojan horse, according to F-Secure. Each version also contained the capability to be updated, in an attempt to stay ahead of antivirus vendors.

"When they first came out, these files were pretty much undetectable by most antivirus programs," said Mikko Hypponen, director of antivirus research at F-Secure. "The bad guys are putting a lot of effort into it--they were putting out updates hour after hour."

As most businesses tend to strip executable files out of e-mails they receive, Hypponen said he expected that companies would not be overly affected by the attacks.

However, F-Secure said that hundreds of thousands of home computers could have been affected across the globe.

Once a user downloads the executable file, the code opens a backdoor in the machine which allows it to be remotely controlled, while installing a rootkit that hides the malicious program. The compromised machine becomes a zombie in a network called a botnet. Most botnets are currently controlled through a central server, which--if found--can be taken down to destroy the botnet. However, this particular Trojan horse seeds a botnet that acts in a similar way to a peer-to-peer network, with no centralized control.

Each compromised machine connects to a list of a subset of the entire botnet--around 30 to 35 other compromised machines, which act as hosts. While each of the infected hosts share lists of other infected hosts, no one machine has a full list of the entire botnet--each has only a subset, making it difficult to gauge the true extent of the zombie network.

 

This is not the first botnet to use these techniques. However, Hypponen called this type of botnet "a worrying development."

Antivirus vendor Sophos called Storm Worm the "first big attack of 2007," with code being spammed out from hundreds of countries. Graham Cluley, senior technology consultant for Sophos, said the company expected more attacks over the coming days, and that the botnet would most likely be hired out for spamming, adware propagation, or be sold to extortionists to launch distributed denial-of-service attacks.

The recent trend has been toward highly targeted attacks on individual institutions. Mail services vendor MessageLabs said that this current malicious campaign was "very aggressive," and said that the gang responsible was probably a new entrant to the scene, hoping to make its mark.

None of the anti-malware companies interviewed said they knew who was responsible for the attacks, or where they had been launched from.

Tom Espiner of ZDNet UK reported from London.

-----------------------

It's been a while since my last "I don't need to worry about it" post, but expect this section to get more coverage this year with the release of Windows Vista. I don't need to worry about this trojan horse, because I'm running Linux and I don't even check e-mail on Windows. If I received an ELF (Linux executable) through e-mail, I wouldn't be dumb enough to run it, let alone run it with enough privileges to let it install a rootkit. And my e-mail program doesn't offer to automatically open files anyway.

Quicktime/Myspace worm discovered

Worm uses QuickTime to spread on MySpace

Playing a rigged video on MySpace embeds the malicious file and adds phishing links to people's profiles.

 

       
By Joris Evers, Staff Writer, CNET News.com
Published: December 4, 2006, 12:50 PM PST
 

update A malicious video on MySpace.com pages changes people's profiles when played, embedding itself and adding links to fraudulent Web sites, experts have warned.

The video is a rigged QuickTime file that exploits a MySpace vulnerability and support for JavaScript in Apple Computer's embedded media player, Web security firm Websense said in an alert posted on Friday.

When played by a MySpace user, the video adds itself to the user's MySpace page and replaces the links on the user's profile with links to phishing Web sites, Websense said. Phishing sites are fraudulent sites that attempt to trick people into giving up sensitive information such as log-in credentials.

A MySpace representative on Monday said she could not immediately comment on the worm.

MySpace, owned by News Corp., is a popular social-networking Web site that is estimated to have more than 70 million registered users. The worm exploits a common type of Web vulnerability called a cross-site scripting flaw in the site along with a feature called HREF track in QuickTime that has legitimate uses but can also be abused, experts said.

"It seems that we have a MySpace worm on our hands, using a malicious QuickTime MOV file to spread," Mikko Hypponen, chief research officer at security company F-Secure, wrote in a blog posting Saturday.

The rigged QuickTime movie includes some JavaScript code that will be run automatically when an infected page is viewed with Internet Explorer, Hypponen wrote. This snippet of code modifies the user's MySpace profile. "After that, everybody who visits your MySpace profile gets hit too," he wrote.

The same happens when viewing an infected page with Firefox, according to a CNET News.com reader who had his MySpace profile compromised.

The object of the attack appears to get people to visit the phishing Web sites. These pages are crafted to look like MySpace log-in pages and prompt users to enter their MySpace credentials, according to F-Secure.

 

This is not the first threat to hit MySpace. Miscreants have exploited the popularity of the Web site before to steal personal information  and to spread adware. Also, some MySpace users have exploited weaknesses in the site to boost their fame.

Experts have warned that as Web sites are becoming more interactive, security needs to be top-of-mind, not an afterthought. The development momentum for many sites is all about features, with protections being neglected, they have said.

An infected MySpace page will include links to the fraudulent Web sites and a blue navigation bar that is not typically found on MySpace pages, according to researchers at FaceTime Security Labs.

"If this is the case, you will need to clean out your profile and check if any of your friends have also been infected," Chris Boyd, director of malware research at FaceTime, wrote in a blog post.

----------------

I'm not going to blame Apple for this one, even if QuickTime hasn't been engineered for security. I don't think any proprietary software company has really been thinking about how products can be misused to assist in phishing.

Interesting non-quoted quote from this article: Experts have warned that as Web sites are becoming more interactive, security needs to be top-of-mind rather than an afterthought. This quote was made in relation to web development. How do you expect web developers to do this when proprietary software companies won't?

In any case, I don't have to worry about this particular phishing attack. I so hate getting assaulted by YouTube videos and Flash music players when visiting Myspace that I rarely go on it anymore. Even if I did, I've only got the QuickTime codecs themselves installed in MPlayer - and the MPlayer plugin for Firefox doesn't support the "Href" track.

OS X flaws

Let me just start by clearing something up for a lot of confused Linux users.

The Mac OS X kernel is called XNU, which stands for "X is Not Unix". It really should be called XNL or XNF, for "XNL is Not Linux" or "XNF is Not FreeBSD".

Contrary to popular belief, none of the most worrying security flaws in OS X are present in Linux or any of the BSDs. These are a result of Apple's shithouse security design. Really, what sort of idiot would design an operating system so that you don't need to type your password before starting an installer, and that runs the package's install scripts as root without even asking the user? (Windows users, you know where to send your flames).

Also, to answer an Ubuntu user's recent question: No, if Ubuntu was based on the FreeBSD kernel it would not be able to run OS X applications. Firstly, Apple constantly changes its mind on which BSD's work it uses for XNU/Darwin. Secondly, Apple has stripped out much of the BSD code and added its own. Thirdly, the kernel is not the key to running a particular operating system's programs; it's all down to the system libraries. In OS X, the important system libraries are closed-source.

But anyway, here are some recent articles from Cnet.com which may make you glad that you run an operating system with a proper security system:

Attack code targets zero-day Mac OS X flaw

The unpatched security hole could be used by a remote attacker to compromise a vulnerable Mac, advisories say.

 

       
By Elinor Mills, Staff Writer, CNET News.com
Published: November 21, 2006, 2:17 PM PST
 

A security researcher has published attack code for an unpatched flaw in Mac OS X, the latest vulnerability in the "Month of Kernel Bugs" campaign.

The proof-of-concept code exploits a security hole in the way Apple Computer's operating system handles disk image files, the researcher wrote Monday on a blog devoted to the campaign, which promises to reveal details of a new flaw in low-level software every day this month.

"Mac OS X com.apple.AppleDiskImageController fails to properly handle corrupted DMG (disk image) image structures, leading to an exploitable memory corruption condition with potential kernel-mode arbitrary code execution by unprivileged users," wrote the researcher, who goes by the initials "LMH."

The vulnerability could be exploited remotely, as Apple's Safari Web browser loads DMG files from external sources, such as one found while visiting a URL, LMH wrote. That could let an outsider compromise a system.

 

Secunia rated the vulnerability as "highly critical" in an advisory on its Web site on Tuesday. In addition to being used to compromise a computer, the flaw could be exploited by malicious local users to gain escalated privileges to the system, the security company said.

Apple representatives did not respond to a request for comment.

In the blog, researcher LMH said people can prevent an attack by "changing the Preferences and deactivating the functionality for opening 'safe' files after downloading."

Vulnerabilities in the Mac OS have been rising, leading some experts to note that the Macintosh platform is not impervious to security problems. The vast majority of security vulnerabilities affect computers running Microsoft Windows.

--------------------------
The program offers to automatically open files in a disk image? What is Apple - stupid? Absolutely off their rockers? This is similar to the "classic" example that the open-source community quotes regarding security policy on Windows. The classic example is actually of how MS Outlook once/does offer to open e-mail attachments automatically.
---------------------------

Adware sample targets Mac OS X

New adware program silently installs on Mac OS X systems and opens Web browser windows.

 

       
By Joris Evers, Staff Writer, CNET News.com
Published: November 27, 2006, 6:10 PM PST
 

A new adware program silently installs on Mac OS X systems and opens Web browser windows, according to F-Secure.

The program, dubbed iAdware by the Finnish security company, is possibly the first example of adware for Macs. It is especially interesting since it doesn't require administrative privileges to nestle itself on the computers, according to F-Secure.

"We won't disclose the exact technique used here, it's a feature not a bug, but let's just say that installing a System Library shouldn't be allowed without prompting the user," according to the F-Secure blog on Thursday.

 

The program is a proof-of-concept sent to F-Secure and it is not out targeting users on the Internet.

"In theory, this program could be silently installed to your user account and hooked to each application you use," according to the F-Secure blog. "This particular sample successfully launched the Mac's Web browser when we used any of a number of applications."

Malicious software that targets Mac OS X systems is rare and has been limited largely to proof-of-concept code, instead of actual attacks. However, there are indications that hackers are increasingly targeting the Mac, which experts have said is not impervious to attacks.

For example, as part of a campaign called the Month of the Kernel Bugs, several new flaws have been disclosed in Apple Computer software, the latest on Monday in the AppleTalk protocol. Last week, exploit code was released for another yet-to-be-fixed flaw in Mac OS X related to disk image structures.

Apple could not immediately be reached for comment.

-----------------------------
You see, Apple is living back in the good ol' days, when only typesetters and musicians had Macs, and nobody with malicious intent had a Mac to experiment with. Apple didn't need to worry about security back then ("security through obscurity") and they have barely changed their attitude. OS X easily has the ability to become a huge virus/spyware/adware/hacking headache for its users.
-----------------------------

Apple Mac OS X patch plugs 31 vulnerabilities

Bundle of fixes includes patch for zero-day Wi-Fi hijack flaw and other bugs, some that could let an attacker commandeer Macs.

 

       
By Joris Evers, Staff Writer, CNET News.com
Published: November 28, 2006, 4:11 PM PST
 

Apple Computer on Tuesday released a security update for Mac OS X to repair 31 vulnerabilities, including a zero-day Wi-Fi hijack flaw.

Apple's Security Update 2006-007 includes fixes for flaws in Apple's own code as well as third-party components that ship with the Mac OS X operating system, such as Perl, PHP and OpenSSL. Several of the vulnerabilities could allow full system compromises, according to Apple's security alert.

However, Apple's update does not address all publicly known flaws in the operating system. Over the past few weeks bug hunters, as part of an initiative called the Month of the Kernel Bugs, have published details on several new vulnerabilities in Mac OS X. One of those was tagged "highly critical" by security-monitoring company Secunia.

"Apple hasn't fixed any of the bugs published during the Month of Kernel Bugs, except for the AirPort issue," said "LMH," the code name of the security researcher who started the Month of the Kernel Bugs. "Apple users are still exposed to any potential risks related to those unpatched issues."

 

The security hole in the AirPort driver software affects Macs that shipped with Apple's original AirPort card, Apple said. An attacker near the computer could commandeer a vulnerable system by sending it a malicious network packet, according to Apple's alert.

Other flaws addressed by the Apple update could let Macs be compromised through malicious sites, rigged compressed files or malicious font files, Apple said. The update also fixes four flaws in the Mac OS X Security Framework, the worst of which could crash Macs or display expired security certificates as still valid, Apple said.

The Security Update 2006-007 for Mac OS X client and server software is available from the Software Update pane in Mac OS System Preferences, or Apple's downloads Web site. Apple recommends Mac users install it.

----------------------------
The community has done the security auditing work that Apple should have done, and published its results. So what does Apple do? Ignore it!

Let's be clear about this, too. The open-source community put together security patches for its own components - Perl, PHP, etc; and released them straight away. Linux distributions packaged the new versions ASAP, releasing them as they became available. Apple, on the other hand, waited until it had a big bundle of non-critical patches before releasing the whole lot in one go.

This meant that: The most up-to-date Linux systems had no unpatched flaws the day before the OS X update was released, and at any one time would have only had 1 or maybe 2 unpatched flaws. The most up-to-date OS X systems had many unpatched flaws for days, possibly weeks, before the Mac OS update was released.

And Apple wonders why no-one wants to use OS X on servers...

But I don't need to worry about Apple's incompetence, and sorry about the swearing earlier.

IE 6 flaw in IE 7

Old Flaw Haunts New Microsoft Browser

Security firm reports another glitch in newly released Internet Explorer 7.

Jeremy Kirk, IDG News Service

Monday, October 30, 2006 07:00 AM PST

A security problem originally found in Microsoft Internet Explorer 6 browser has returned to haunt IE7, the new version of the browser launched two weeks ago, a security consultant said Monday.

Danish security consultancy Secunia ApS posted an advisory regarding an issue where an attacker could potentially snare logins and passwords from an unsuspecting IE7 user. Over two years ago, security researchers reported the same fault in IE6.

Misled by Pop-Ups

If a user visits a Web site specially crafted by an attacker, and then opens a "trusted" site such as a bank or e-commerce site that has a pop-up window, the attacker can put new content into the pop-up, said Thomas Kristensen, Secunia's chief technology officer. This could enable the attacker to ask a user for financial information or passwords, he said.

When the problem was revealed in June 2004, Microsoft gave instructions for a workaround for IE6: disable the setting "Navigate sub-frames across different domains." That setting is disabled by default in IE7, but does not appear to prevent the attack, Kristensen said.

Microsoft has been notified of the flaw, which was submitted to Secunia by a user, Kristensen said. Microsoft officials did not have an immediate comment this morning.

Secunia rated the problem as "moderately critical," but Kristensen said the company was not aware of sites trying to exploit the flaw.

An alert user might notice that they're under attack: Since the URL for the pop-up window is visible, it may be possible to identify a fraudulent request for password information, for example. But "it would require you to pay some attention to the address bar," Kristensen said.

However, a clever attacker could also use this problem in combination with a pop-up spoofing weakness identified last week. Microsoft hasn't patched that problem.

Second IE7 Flaw

Following IE7's release on October 18, Secunia found a problem it shared with IE6.

The vulnerability allowed an attacker to potentially read information from a secure Web site if the user had also opened a maliciously crafted Web site. Microsoft said that the problem is actually in code called by the browsers in another application, Outlook Express, which remains unpatched.


http://www.pcworld.com/article/id,127703/article.html#

But I don't need to worry about it, as Firefox's programmers have a good understanding of what constitutes "security".

-------------------------

In backstory... finally got a message from Kym. Let's just say that I hope she gets better soon; and until she gets better I can't even have a non-speaking role in her life. Oh yes, it's raining in my heart as well as outside. I'm going to log into KDE and change the background of Desktop 2 (sorry, I just thought I should say something that would slightly interest Linux users ;-)  ).

BBC test Windows with a "Honeypot"

This excellent article comes from the BBC. I seem to have lost the author's name. If you are the author or you know who is, please message me so I can give credit where it is due.


How the trap was sprung
If every hour a burglar turned up at your house and rattled the locks on the doors and windows to see if he could get in, you might consider moving to a safer neighbourhood.
And while that may not be happening to your home, it probably is happening to any PC you connect to the net.
An investigation by the BBC News website has established the scale of the dangers facing the average net user.
Using a computer acting as a so-called "honeypot" the BBC has been regularly logging how many potential net-borne attacks hit the average Windows PC every day.
Attack traffic
Honeypots are forensic tools that have become indispensable to computer security experts monitoring online crime. They are used to gather statistics about popular attacks, to grab copies of malicious programs that carry out the attacks and to get a detailed understanding of how these attacks work.


To the malicious programs scouring the web these honeypots look like any other PC. But in the background the machines use a variety of forensic tools to log what happens to them.
Perhaps one indicator of how useful these tools have become is seen in the fact that the most sophisticated attackers make their malicious programs able to recognise when they have trespassed on a honeypot.
The BBC honeypot was a standard PC running Windows XP Pro that was made as secure as possible. This ran a software program called VMware which allows it to host another "virtual" PC inside the host. Via VMware we installed an unprotected version of Windows XP Home configured like any domestic PC.
VMware is useful as it makes it easy to pause the "virtual" PC or roll it back to an earlier configuration. This proved essential when recovering from an infection.

36 warnings that pop-up via Windows Messenger
11 separate visits by Blaster worm
3 separate attacks by Slammer worm
1 attack aimed at Microsoft IIS Server
2-3 "port scans" seeking weak spots in Windows software


This guest machine, once armed with some forensic software, became the honeypot.
When we put this machine online it was, on average, hit by a potential security assault every 15 minutes. None of these attacks were solicited, merely putting the machine online was enough to attract them. The fastest an attack struck was mere seconds and it was never longer than 15 minutes before the honeypot logged an attempt to subvert it.
The majority of these incidents were merely nuisances. Many were announcements for fake security products that use vulnerabilities in Windows Messenger to make their messages pop-up. Others were made to look like security warnings to trick people into downloading the bogus file.
Serious trouble
However, at least once an hour, on average, the BBC honeypot was hit by an attack that could leave an unprotected machine unusable or turn it into a platform for attacking other PCs.

Many of these attacks were by worms such as SQL.Slammer and MS.Blaster both of which first appeared in 2003. The bugs swamp net connections as they search for fresh victims and make host machines unstable.
They have not been wiped out because they scan the net so thoroughly that they can always find another vulnerable machine to leap to and use as a host while they search for new places to visit.
Their impact is limited now because Windows is now sold with its firewall turned on and the patch against them installed. Recently Microsoft said it was cleaning up hundreds of PCs hit by these machines every day.
Many of these worms were launched from different PCs on the network of a French home net service firm but others were from machines as far away as China.

There were also many attempts to probe the BBC honeypot to see how vulnerable it was. Hijacked machines in Brazil as well as at the Indiana offices of a public accounting and consulting firm carried out "port scans" on the BBC honeypot to see if they could get a response that would reveal how vulnerable it was.
Via the honeypot we could see these machines sending test data in sequence to the ports, or virtual doors to the net, that the PC had open.


More rarely, once a day on average, came net attacks that tried to subvert the honeypot to put it under the control of a malicious hacker.
Again these attacks came from all over the world - many clearly from hijacked machines. The BBC honeypot was attacked by a PC at a Chinese aid organisation, a server in Taiwan and many machines in Latin America.
Via the forensic tools installed on the honeypot we could see the booby-trapped data packets these bugs were trying to make our target machine digest.
By using carefully crafted packets of data, attackers hope to make the PC run commands that hand control of it to someone else.
Via this route many malicious hackers recruit machines for use in what is known as a botnet. This is simply a large number of hijacked machines under the remote control of a malicious hacker.
Botnets are popular with hi-tech criminals because they can be put to so many different uses. The slaves or bots in a botnet can be used to send out spam or phishing e-mails.
They can become the seeding network for a new virus outbreak or act as a distributed data storage system for all kinds of illegal data. Spammers, phishing gangs and others often rent a botnet to use for their own ends.
Often once a machine has fallen under someone else's control, a keylogger will be installed to capture information about everything that the real owner does - such as login to their online bank account.
This stolen information is often sold as few of those that steal it have the criminal connections to launder stolen cash.

----------------
But I don't have to worry about it. I've got no ports passed through on my hardware firewall. Ubuntu doesn't open ports by default, and I haven't opened any myself. All of the attacks on the honeypot only work on Windows machines.

However, as I occasionally connect Windows to the Internet to use the iTunes Music Store, I do kinda worry about it. I take every precaution, even running as a limited user account, but it definitely gives me the desire to quickly download the albums I want and then stop using iTMS.
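The BBC piece describes the method (an unpatched XP Home guest, forensic logging, counting hits per day and sorting nuisances from real compromise attempts) but not the tooling. The block below is an added worked example, not the BBC's software or anything from the article: it triages a honeypot's inbound-traffic log into the same classes the article reports (Messenger pop-up spam, Blaster, Slammer, IIS probes, port scans) and computes the "how long between attacks" figures. The log format is an assumption (one line per unsolicited packet or connection: ISO timestamp, protocol, source IP, destination port), and the sample log is constructed, not a real capture. The port-to-threat mapping uses the classic ports those threats hit: Messenger service on UDP 1026/1027, Blaster on TCP 135, Slammer on UDP 1434, IIS on TCP 80.

```python
"""Triage of a honeypot's inbound-traffic log, modelled on the BBC experiment.

Added example; it is not the BBC's tooling (the article names only VMware and
unspecified "forensic tools"). Assumed log format, one line per unsolicited
inbound packet or connection: "<ISO timestamp> <proto> <source IP> <dest port>".
"""
from collections import Counter
from datetime import datetime

# Port-to-threat mapping for the attack classes the article lists, using the
# classic ports those threats used: Messenger-service pop-up spam on UDP
# 1026/1027, Blaster on TCP 135 (RPC/DCOM), Slammer on UDP 1434 (SQL Server
# Resolution), IIS on TCP 80. Anything else is counted as a generic probe.
KNOWN_PORTS = {
    ("udp", 1026): "Messenger pop-up spam",
    ("udp", 1027): "Messenger pop-up spam",
    ("tcp", 135): "Blaster (RPC DCOM)",
    ("udp", 1434): "Slammer (SQL Resolution)",
    ("tcp", 80): "IIS probe",
}
SERIOUS = {"Blaster (RPC DCOM)", "Slammer (SQL Resolution)", "IIS probe"}

# Constructed sample log (not a real capture); addresses are documentation ranges.
SAMPLE_LOG = """\
2006-10-08T09:00:07 udp 203.0.113.5 1026
2006-10-08T09:03:41 tcp 198.51.100.9 135
2006-10-08T09:10:02 udp 203.0.113.77 1434
2006-10-08T09:11:30 tcp 192.0.2.44 445
2006-10-08T09:11:31 tcp 192.0.2.44 139
2006-10-08T09:11:32 tcp 192.0.2.44 135
2006-10-08T09:11:33 tcp 192.0.2.44 80
2006-10-08T09:25:18 udp 203.0.113.5 1027
2006-10-08T09:40:00 tcp 198.51.100.9 80
"""


def parse_log(text):
    """Return a list of (timestamp, proto, src_ip, dst_port) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, proto, src, port = line.split()
        events.append((datetime.fromisoformat(stamp), proto.lower(), src, int(port)))
    return sorted(events)


def classify(proto, port):
    """Name the threat class for a (proto, port) pair, or 'probe' if unknown."""
    return KNOWN_PORTS.get((proto, port), "probe")


def port_scanners(events, window_seconds=10, min_ports=3):
    """Sources that hit at least min_ports distinct ports within window_seconds.

    A lone Blaster hit on TCP/135 is not a scan; a source sending test data to
    several ports in quick sequence, as the article describes, is."""
    hits_by_src = {}
    for stamp, _, src, port in events:
        hits_by_src.setdefault(src, []).append((stamp, port))
    scanners = set()
    for src, hits in hits_by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = {p for t, p in hits[i:]
                         if (t - start).total_seconds() <= window_seconds}
            if len(in_window) >= min_ports:
                scanners.add(src)
                break
    return scanners


def summarize(events):
    """Counts per class, how many were serious, the longest quiet gap, scanners."""
    counts = Counter(classify(proto, port) for _, proto, _, port in events)
    stamps = [e[0] for e in events]
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return {
        "total": len(events),
        "by_class": dict(counts),
        "serious": sum(n for cls, n in counts.items() if cls in SERIOUS),
        "longest_gap_seconds": max(gaps) if gaps else 0.0,
        "scanners": port_scanners(events),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed log this reports nine hits in forty minutes, five of them in the "serious" classes (worm and IIS traffic that could take the machine over), one source that walked four ports in three seconds, and a longest quiet gap just under fifteen minutes, which is the shape of the article's numbers. The classification is by port only, which is all a honeypot sees before it lets the payload in; the article's "booby-trapped data packets" would need the captured payload to confirm.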

Symantec - Vista security 3 years behind

Symantec's communications director Chris Paden has said recently that Microsoft's own security package for Windows Vista will not be able to be removed from the operating system, even if a 3rd-party package is installed. Microsoft have reportedly ignored requests by security companies to allow the inbuilt package to be replaceable.

"It would be like trying to drive a car with two dashboards. This is going to cause a great deal of consumer confusion," said Mr Paden.

He also warned that Windows Vista had been engineered to resist the kinds of threats Windows was facing three years ago, much like how Windows XP was built against the short-lived Macro Virus threat.

EU Competition Commissioner Neelie Kroes has also expressed concern over the new security features, but in relation to possible breaches in competition law.

But I don't need to worry about it, as Linux distributions are built in a modular fashion that allows any part of the system to be replaced, including the built-in iptables firewall; and besides, anti-virus and anti-spyware software is not needed. Linux software is always built with security in mind, the kernel itself has always been built to resist threats from the Internet, and any new threats can be accounted for by any of the kernel developers at any time.

Powerpoint flaw hits Win, Mac

PowerPoint flaw hits Win, Mac
Chris Jenkins
SEPTEMBER 29, 2006 
An unpatched flaw in Microsoft's PowerPoint slideshow software has left both Windows and Mac PowerPoint users vulnerable to a "zero day" attack.

In a security advisory posted online, Microsoft said it was investigating reports of "limited 'zero day' attacks" that exploited a vulnerability in its PowerPoint 2000, PowerPoint 2003, PowerPoint 2004 for Mac and PowerPoint v.X for Mac.

"Microsoft is developing a security update for PowerPoint that addresses this vulnerability," the advisory said.

Any attack could grant the attacker the same system usage rights as the local user, Microsoft said. The vulnerability could be exploited by corrupting system memory to run arbitrary code, the advisory said.

Microsoft cautioned users against opening documents sent by untrusted sources.

Graham Cluley, senior technology consultant at security group Sophos, said Microsoft had experienced "a bad few weeks on the security front".

"No sooner have they rushed to deal with a day zero vulnerability in the way their products handle Vector Markup Language than they discover an apparent problem with PowerPoint files," he said.

But I don't have to worry about it, as OpenOffice.org does not have this bug; and I doubt an open-source developer would let these kinds of security problems get past TWO development teams! Also, Linux users don't "run as root" (use the administration account on their computer) like Windows users do, so if a similar problem existed on Linux, the attacker would still only be able to access what a limited account user can.

Although I don't have to worry about staying up-to-date with the latest computing news, I *do* have to keep up-to-date anyway so I can add these articles to my blog :-)

Explorer Patched Early

Explorer patched early
Correspondents Los Angeles
SEPTEMBER 27, 2006

FROM AUSTRALIAN IT

Microsoft has released a security patch to fix a "critical" hole in its Internet Explorer web browser which it said could allow an attacker to take control of a user's computer.

The patch was released two weeks ahead of a regularly scheduled monthly security update after Microsoft said it became aware of a "public attack utilising the vulnerability".

The impact on customers was "limited", Microsoft said.

Microsoft typically issues security patches at the beginning of the month.

The flaw rated at critical - the highest level - existed in the coding for Vector Markup Language, or VML.

The company defines a flaw as "critical" when the vulnerability could allow a damaging internet worm to replicate without the user doing anything to the machine.

But I don't need to worry about it, as Firefox on Linux was designed and built with security in mind.

Introducing a new section

This new section is called "I don't need to worry about it". It's about the security problems that plague Windows users, but "for some reason" don't affect Linux users. Each time, I will take an article from a news source and repost it under this category.

This section is provided in the hope that some Windows users reading this blog will even just START using Linux. I don't mind if web browsing, e-mail and IM are the only things you start using Linux for, as long as you STOP USING WINDOWS ONLINE! Maybe, when you see these security problems concentrated, and are told about how Linux doesn't suffer this stuff, you'll consider switching part of your computing to open-source.

"Botnet" army in AOL's backyard

Correspondents in San Francisco
Agence France-Presse
From Australian IT

Hackers using computer worms implanted via America Online (AOL) instant messages could be assembling a "botnet" for sinister purposes, a Silicon Valley internet security firm said today.

FaceTime security specialists advised users not to open any files sent to them via AIM.

FaceTime Security Labs identified the worm as "W32.pipeline" and said the executable software tricked its way into people's computers by posing as a picture attached to an instant message from someone on their AOL "buddy list."

Once in computers, the worms open the doors to download infectious software that essentially lets those behind the invasion take control of the machines, according to FaceTime.

"The motivation for the bad guys seems to be in lining up as many 'install chains' as possible to insure a consistent pipeline that can be controlled by their rogue botnet," FaceTime director of malware research Chris Boyd said.

AIM users are duped into letting the worms in through a psychological ploy from the "social engineering" playbook, according to FaceTime.

The infected attachments are disguised as image "JPEG" files and arrive with AIM messages to the effect of "hey would it (be) okay if I upload this picture of you to my blog?"

The worm sends copies of itself to addresses found on AOL instant messaging (AIM) buddy lists of newly infected machines, FaceTime said.

The robotic computers can be amassed in a network referred to as a "botnet."

"FaceTime researchers believe that the ultimate goal of the W32.pipeline is to create a sophisticated botnet that can be used for a range of malicious purposes," the company said.

Botnets under the control of hackers can be mined for personal information or used to send junk email or overwhelm business websites with simultaneous requests in what are known as "denial-of-service" attacks.

Hackers could also use zombie machine armies to commit "click fraud" by having them repeatedly connect to internet advertising for which businesses are charged per click.

But I don't need to worry about it.
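The W32.pipeline lure above works because the victim (and often the client) judges the attachment by its name, "a picture", rather than by what the bytes are. The block below is an added example, not code from FaceTime, AFP or the blog author: it decides whether to accept an incoming "image" by reading its leading bytes (the JPEG/PNG/GIF magic numbers and the Windows MZ/PE executable header) and comparing that with what the extension claims. The file names, the fake PE stub and the JPEG header are constructed test data, not real malware.

```python
"""Judge an attachment by its contents, not its name.

Added example (not FaceTime's or the article's code): a gateway or chat client
that trusts the extension accepts an executable named like a picture; one that
sniffs the leading bytes does not. Samples below are constructed, not real files.
"""
import struct

# Leading bytes of the image formats we are willing to accept (well-known magic numbers).
IMAGE_MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXT_TO_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}


def is_pe_executable(data):
    """True if data has a DOS 'MZ' stub whose e_lfanew field (offset 0x3C)
    points at a 'PE\\0\\0' signature, i.e. it is a Windows executable."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff(data):
    """Content type from magic bytes: 'jpeg', 'png', 'gif', 'pe' or 'unknown'."""
    for kind, magics in IMAGE_MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return "pe" if is_pe_executable(data) else "unknown"


def claimed_kind(filename):
    """What the name claims. Only the last extension counts, as on Windows,
    so 'me.jpg.exe' claims 'exe', not an image."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXT_TO_KIND.get(ext, ext or "none")


def verdict(filename, data):
    """Return (accept, reason). Accept only when the bytes agree with the name."""
    actual = sniff(data)
    claimed = claimed_kind(filename)
    if actual == "pe":
        return False, f"{filename}: Windows executable (MZ/PE header), name claims {claimed}"
    if claimed not in IMAGE_MAGIC:
        return False, f"{filename}: not an accepted image extension ({claimed})"
    if actual != claimed:
        return False, f"{filename}: name claims {claimed} but content is {actual}"
    return True, f"{filename}: {actual} image, extension agrees"


# Constructed samples: a 68-byte fake PE stub (MZ header, e_lfanew = 0x40, then
# the PE signature) and the first bytes of a JFIF JPEG. Neither is a real file.
FAKE_PE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00"
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    samples = [
        ("me.jpg", FAKE_JPEG),      # genuine picture: accepted
        ("me.jpg.exe", FAKE_PE),    # the AIM worm's trick: rejected
        ("me.jpg", FAKE_PE),        # renamed executable: still rejected
        ("me.jpg", b"hello there"), # wrong content for the claimed type: rejected
    ]
    for name, blob in samples:
        print(verdict(name, blob))
```

The "me.jpg" case with PE bytes is the one an extension-only check gets wrong: the name passes every allow-list, and only the MZ/PE header gives it away. Note the order of checks in verdict: an executable is rejected before anything else is considered, so an attacker cannot talk the gateway into the image branch by choosing a friendlier name.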